Home page logo
/

snort logo Snort mailing list archives

Re: Signature Lookup Confusion
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 8 May 2013 16:36:41 -0400

IIRC ->  If I remember correctly.

On May 8, 2013, at 2:17 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

Joel,

Quick question.....Your response did you mean to say Gozi Trojan IRC or IIRC? I think it might have been a 
typo......Well looking at the logs just from the flow of alerts I get IRC chat policy attempts....plus this one.



-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Tuesday, May 07, 2013 11:22 AM
To: Jeremy Hoel
Cc: Josh Bitto; snort-users () lists sourceforge net; waldo kitty
Subject: Re: [Snort-users] Signature Lookup Confusion

This was a User-Agent seen from the Gozi Trojan IIRC.  Probably 3 years old or so now, not sure how much use it is to 
identify Gozi anymore.  Although...


On May 7, 2013, at 2:18 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Don't panic!  Grab your towel and it will all be ok.

Anything with a SID of 1 will have a normal rule file.. so if you use 
the default pulledpork and have all your rules in one file, then grep 
snort.rules for 2010645 and you'll see

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
User-Agent (Launcher)"; flow: to_server,established; 
content:"Launcher"; http_header; nocase; 
pcre:"/User-Agent\x3a[^\n]+Launcher/iH";
reference:url,doc.emergingthreats.net/2010645;
classtype:trojan-activity; sid:2010645; rev:9;)


Do you have the packet data for the tripped alert?    Is the Launcher
part of the user agent or maybe in a cookie or a refer?  that kin of 
stuff really helps figure out if it's a FP or not.


Also, since this is a ET rule, I don't think it would work on the 
snort rule search.



On Tue, May 7, 2013 at 6:02 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
Thanks everyone! Yes it does help....No I haven't been able to go get 
my pop yet.....I'm kinda panicking at the moment about this

2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET 
POLICY User-Agent (Launcher) [Classification: A Network Trojan was 
Detected] [Priority: 1] {TCP}

I've tried to do a search to find the definition of it and see why this fired. I don't want to block something that 
might be a false positive. Although the above has no hint of being a false positive I want to act on this quickly.

So I went here...
http://www.snort.org/search/

put in the 2010645...nothing came up.....put in the 1....nothing came up. That's my hang up right now is doing a 
search for reference of what a sid/gid happens....I want to be able to search it up and see by definition what is 
going on.



-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, May 07, 2013 10:52 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Signature Lookup Confusion

On 5/7/2013 13:24, Josh Bitto wrote:
I'm having a bit of a problem fully grasping how to search up rules 
that have been fired.....

2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1]
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification:
Unknown Traffic]
[Priority: 3] {TCP} 209.97.200.53:32459 ->  216.178.47.38:80


Ok so what I understand from the log is that rule 120 fired. Either 
I need

no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are really necessary...

the above says Generator 120 fired its rule with SID 8...

Generator 120 is http_inspect...

its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNCK SIZE"...

these are not "normal" rules like the *.rules files you download... these rules are built into the processor...

some caffeine or it's a horrible Tuesday for me to comprehend this, 
but I'm just not getting it. The instructions on how to search for 
the group id and the sid for some reason are not sticking. Can 
someone dumb this down for me....I'm gonna run out and get a pop and 
hopefully come back to someone who has awesomely helped me out.

does the above help?

Basically I want to be able to search for explanations on whatever 
event happens so I can determine if I need to take action or not.

this is where you might need to break out a pcap viewing tool like wireshark so you can look at the content of the 
network traffic that triggered the rule...
snort should have saved a pcap for you and this particular entry will likely be inside a large pcap containing 
other saved traffic from other alerts... you use the timestamp to determine the proper packet to look at and then 
work it from there...


FWIW: i've someone who is a client on a large Canadian cable network and they are getting hit by tons of these... 
we haven't yet determined why, though...

--
NOTE: No off-list assistance is given without prior approval.
     Please keep mailing list traffic on the list unless
     private contact is specifically requested and granted.

---------------------------------------------------------------------
--------- Learn Graph Databases - Download FREE O'Reilly Book "Graph 
Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by 
three acclaimed leaders in the field. The early access version is available now.

Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

---------------------------------------------------------------------
--------- Learn Graph Databases - Download FREE O'Reilly Book "Graph 
Databases" is the definitive new guide to graph databases and their 
applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

----------------------------------------------------------------------
-------- Learn Graph Databases - Download FREE O'Reilly Book "Graph 
Databases" is the definitive new guide to graph databases and their 
applications. This 200-page book is written by three acclaimed leaders 
in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault